Application and Infrastructure Architecture V1
Latest version 11/11/2015

APPLICATION AND INFRASTRUCTURE ARCHITECTURE: INTERNALLY HOSTED SYSTEM CHECKLIST

Project Name: Click here to enter text.
Product Name: Click here to enter text.
Completed By: Click here to enter text.
Last Updated on: Click here to enter a date.

This checklist should be completed by the project technical lead, in conjunction with the supplier, for systems that are anticipated to be internally hosted by IMT on behalf of the School. It is a living document, which should develop with the project. At key stages the questionnaire should be sent to the Information Security Team for signoff. This should be at least:

1. During the Design phase of the project.
2. Before completion and rollout.

Systems hosted in the cloud should use the Cloud Questionnaire.

Principle / Type    Check    Comments

AUTHENTICATION
  Active Directory
  LDAP (with secure pass through to AD)
  Kerberos (with secure trust to AD)
  Shibboleth/ADFS/CAS
  External Collaboration Access Framework (Fast provisioning of accounts for external collaborators)
  Exception Required?

AUTHORISATION & ACCESS CONTROL
  Security Groups
  IP Access Control List
  DMZ/Zoning
  Security Bubble
  Exception Required?

THIRD PARTY REMOTE ACCESS TO SYSTEMS AND DATA
  Jumphost via remote.lse.ac.uk
  Pulse client via remote.lse.ac.uk
  Site-to-Site VPN
  SSH via SSH Gateway
  Exception Required?

ADMINISTRATIVE (LSE STAFF) ACCESS
  IP access control list
  SSH
  Remote Desktop
  Jumphost via remote.lse.ac.uk
  Network zone
  Internal only
  Exception Required?

SERVER OPERATING SYSTEMS
  MS Windows Server
  Linux (specify)
  Exception Required?

DATA STORAGE
  SAN based
  Disk enclosure
  NAS
  Local storage
  CIFS file share (Windows)
  NFS file share (Linux)
  Exception Required?

DATA MANAGEMENT
  Backup required
  Archive/retention period

DATABASE TECHNOLOGY
  Microsoft SQL Server
  Oracle
  MySQL
  Exception Required?

DATA INTERCHANGE & STANDARDS
  XML
  SOAP
  Flat / CSV data files
  Database Links
  Exception Required?

SOA TECHNOLOGIES
  Shared Services (SOA/Web)
  WSDL
  Messaging (XML/BPEL)
  Service Bus Facilities
  Service Registration
  Exception Required?

WEB APPLICATION SERVER TECHNOLOGIES
  Microsoft IIS and associated technologies (ASP.NET – MVC Framework, AJAX, Silverlight)
  Apache, JSP
  PHP
  Java and Tomcat
  RabbitMQ
  HTML – v4, v5 or XHTML
  Exception Required?

DESKTOP OPERATING SYSTEMS
  Microsoft Windows
  Apple MacOS
  Linux (specify)
  Exception Required?

MOBILE DEVICE SUPPORT
  Apple iOS
  Google Android
  Windows Phone
  Exception Required?

WEB BROWSER SUPPORT
  Microsoft Internet Explorer
  Mozilla Firefox
  Apple Safari
  Google Chrome
  Exception Required?

SECURITY
  Externally facing service (requiring DMZ)
  Internally-facing service, but which AD users will need to access from outside (i.e. via remote.lse.ac.uk SSL VPN)
  Other user access requirements (describe)
  Web log in / data input under SSL certificate
  Application communications / traffic encrypted
  Servers located in appropriate firewall protected network zones
  Conforms to School security policies and practices
  Security audit completed and action plan agreed
  Exception Required?

FUTUREPROOFING
  Does the application / system have an upgrade path?
  Does the application / system rely on any programs that cannot be updated (e.g. Java versions etc)?
  Does the application / system support operating system upgrades and updates?
  Is the supplier responsible for installing any updates?

WEB BRANDING AND ACCESSIBILITY
  Site branding and ‘look and feel’ approved by IMT Communications Manager
  European Web Content Accessibility Guidelines (WCAG) compliant
  Exception Required?

EXCEPTION STATEMENT

If any of the ‘Exception Required?’ sections are completed above please supply a brief statement outlining the need for such an exception below. Please include details of where and with whom the exception(s) has been discussed:

Click here to enter text.

Confidential to LSE November 2015